From fb08e3655ee2f6f3e84139ab4dd51529bda055c9 Mon Sep 17 00:00:00 2001
From: cinap_lenrek
Date: Tue, 29 Dec 2020 18:45:42 +0100
Subject: plumber: open rule files as OCEXEC, to avoid leaking them to sub commands
---
 sys/src/cmd/plumb/rules.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sys/src/cmd/plumb/rules.c b/sys/src/cmd/plumb/rules.c
index c5bec452d..4ceb4cad8 100644
--- a/sys/src/cmd/plumb/rules.c
+++ b/sys/src/cmd/plumb/rules.c
@@ -410,11 +410,11 @@ include(char *s)
 if(n>2 && args[2][0] != '#')
 goto Err;
 t = args[1];
- fd = open(t, OREAD);
+ fd = open(t, OREAD|OCEXEC);
 if(fd<0 && t[0]!='/' && strncmp(t, "./", 2)!=0 && strncmp(t, "../", 3)!=0){
 snprint(buf, sizeof buf, "/sys/lib/plumb/%s", t);
 t = buf;
- fd = open(t, OREAD);
+ fd = open(t, OREAD|OCEXEC);
 }
 if(fd < 0)
 parseerror("can't open %s for inclusion", t);
-- 
cgit v1.2.3
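Review bot: Both `open(t, OREAD|OCEXEC)` calls in include() carry the close-on-exec flag with no comment saying why, so a later edit could drop it again without noticing the descriptor leak it prevents. I would add one line above the first call, for example `/* OCEXEC: rule files must not stay open in commands the plumber starts */`. Setting the flag in open() itself is the right shape, since there is no window between opening and marking the descriptor. The hunk changes only the include path; whether the top-level rules file and any other long-lived descriptors are opened the same way is not visible here and is worth confirming. include() starts and ends outside the hunk.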